Is there any better documentation than the User Guide and Getting Started guide? I would like some advanced info on exactly what QAInspect is testing for/on when running tests such as SQL Injection, etc.
Jason;
Ref: User Guide bundle https://download.hpsmartupdate.com/qainspect/
The only official documentation besides those you mentioned (and available at the link above) would be the on-line Help files (*.CHM) that are installed with QAInspect, particularly "QAInspect_QualityCenter.CHM". This forum will not permit me to post a file that large, so I will seek some alternative route.
Within the QAInspect help file you may find the article "Web Application Attacks and Methodologies" applicable.
Unofficially, all of our products share the same framework and attack database, "SecureBase". This means that any discussion of the HP WebInspect attacks or its crawling capabilities will apply equally to HP QAInspect.
The only caveat to that would be the product versioning. We tend to implement the newest features into WebInspect first, with the other products being brought up to par after that release. For that reason, QAInspect 5.1 can be thought of as being equivalent to WebInspect 7.x, as WebInspect 8.0 and AMP 8.0 just came out in April of this year and there have been no updates to QAInspect since April. The primary improvements in WebInspect 8 (that are lacking in QAInspect 5.1) would be performance improvements, advancements in the parsing and auditing of script events, static analysis of Flash files (Action Script 3 SWF files), advanced Reporting and the new Report Designer, and UI improvements.
That's very helpful, thank you.
I installed WebInspect to have a look at it, and one of its security tools is Policy Manager, which contains all of the vulnerabilities I assume are contained in the SecureBase database. This is exactly what I needed, so hopefully it's of use to someone else looking for the specifics of what QAInspect tests against.